
1M Downloads Later, Google Pulls Phony WhatsApp From Google Play

An adware-laden phony WhatsApp download has been removed from Google Play and the developer’s account suspended, but not before it was downloaded one million times.

Google has removed a phony WhatsApp download from Google Play and suspended the developer’s account, but not before the ad-spewing app was downloaded more than one million times.

The unwanted app, called Update WhatsApp Messenger, was disclosed by a handful of Redditors over the weekend who said the adware was also calling out to the internet for additional Android APK downloads to their devices.

“I’ve also installed the app and decompiled it (at right). The app itself has minimal permissions (internet access) but it’s basically an ad-loaded wrapper which has some code to download a second apk, also called ‘whatsapp.apk,’” said a Reddit user with the handle Dextersgenius. “The app also tries to hide itself by not having a title and having a blank icon.”

Google confirmed the app was removed and the developer’s account suspended for program policy violations.

Despite Google’s documented success at catching malicious and unwanted mobile apps on Google Play and removing them from users’ devices, this one slipped through. Like other recent spammy and adware-laden campaigns, the developer used a hidden Unicode character to make the app look legitimate.

One Redditor with the handle rookie_e pointed out that the listing for this app included an extra space after the developer name: “WhatsApp Inc. ” That trailing “space” was in fact a different Unicode character, hex code C2A0, which renders like a space but is not one, so the developer name did not match the genuine publisher’s and the listing slipped past Google’s scanners for its marketplace.

Android apps submitted to Google Play are first scanned for malware and for behaviors that would classify them as potentially unwanted apps before they are published. Google has also taken steps to catch malicious apps earlier in the process while still accommodating legitimate app developers.

In May, Google introduced Play Protect, a new security feature that maintains some oversight on content downloaded to Android devices. For example, previously downloaded apps can be continually scanned for malicious behaviors as a counter to developers who push benign apps to Google Play that later connect and download malicious components. This also helps provide a line of defense against apps downloaded from third-party stores that aren’t subject to Google’s malware scanners. Google said in May that Play Protect will be capable of scanning and verifying up to 50 billion apps on a daily basis.

Unicode, meanwhile, remains an apparently reliable option for unscrupulous developers who want to slip these types of unwanted apps and extensions onto Google Play and the Chrome Web Store, respectively.

Three weeks ago, Google removed a malicious Chrome extension posing as Adblock Plus that had been downloaded more than 38,000 times. The popular Swift on Security Twitter account exposed this and two other extensions, one of which falsely claimed 10 million downloads. The developer used Cyrillic Unicode characters in the extension name, allowing the malicious plugins to again sidestep Google’s malware filters.
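Both tricks described above, the trailing C2A0 byte sequence in the WhatsApp listing (C2A0 is the UTF-8 encoding of U+00A0, NO-BREAK SPACE) and the Cyrillic letters in the fake Adblock Plus extension name, defeat a scanner that compares publisher names byte for byte. The following is an added example of the kind of check a store or an enterprise app-allowlist could run on a listing’s developer name; it is not Threatpost’s or Google’s code. It assumes a constructed list of trusted publisher names and uses a deliberately partial, hand-written table of Cyrillic look-alike letters in place of the full Unicode confusables data; the sample names at the bottom are constructed to mirror the two cases in the article.

```python
import unicodedata

# Constructed list of publisher names the store treats as trusted (illustrative only).
TRUSTED_PUBLISHERS = {"WhatsApp Inc.", "Adblock Plus"}

# Constructed, deliberately partial table of Cyrillic letters that render like Latin ones.
# A real deployment would use the Unicode confusables data (UTS #39) instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0410": "A", "\u0412": "B", "\u0415": "E",
    "\u041a": "K", "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0422": "T", "\u0425": "X",
}


def hidden_characters(name):
    """Return (position, 'U+XXXX', Unicode name) for every character that is
    invisible or renders like ordinary whitespace but is not U+0020 SPACE."""
    found = []
    for i, ch in enumerate(name):
        if ch == " ":
            continue
        # Zs = space separators (U+00A0 NO-BREAK SPACE lives here),
        # Cf = format characters (zero-width joiners, BOM), Cc = controls.
        if unicodedata.category(ch) in ("Zs", "Cf", "Cc"):
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return found


def letter_scripts(name):
    """Approximate the writing systems present from the first word of each
    letter's Unicode name, e.g. 'CYRILLIC CAPITAL LETTER A' -> 'CYRILLIC'."""
    scripts = set()
    for ch in name:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def folded(name):
    """Fold a name to what a human perceives: NFKC (maps U+00A0 to U+0020),
    format/control characters dropped, Cyrillic look-alikes mapped to Latin,
    whitespace runs collapsed and trimmed."""
    text = unicodedata.normalize("NFKC", name)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text
                   if unicodedata.category(ch) not in ("Cf", "Cc"))
    return " ".join(text.split())


def analyze(name, trusted=TRUSTED_PUBLISHERS):
    """Flag a developer name that hides characters, mixes scripts, or folds
    to a trusted publisher's name without being identical to it."""
    hidden = hidden_characters(name)
    scripts = letter_scripts(name)
    fold = folded(name)
    lookalike = fold if (fold in trusted and name != fold) else None
    return {
        "name": name,
        "hidden": hidden,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "lookalike_of": lookalike,
        "suspicious": bool(hidden) or len(scripts) > 1 or lookalike is not None,
    }


if __name__ == "__main__":
    # Constructed samples: the genuine name, the NO-BREAK SPACE variant from the
    # article, a Cyrillic-A "Adblock Plus", and a benign all-Cyrillic publisher.
    for sample in ["WhatsApp Inc.", "WhatsApp Inc.\u00a0",
                   "\u0410dblock Plus", "Яндекс"]:
        print(analyze(sample))
```

The three signals are reported separately rather than collapsed into one score because they call for different responses: a hidden character in a publisher name has no legitimate use and can be rejected outright, whereas a mixed-script name may be a real developer whose name genuinely spans two alphabets and deserves a human look. A name written entirely in one non-Latin script trips none of the checks, which is the point of keeping "mixed" distinct from "non-Latin".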

Attackers have also used Unicode characters to falsify domain names, creating the potential for phishing attacks at scale. Google patched weaknesses in Chrome in April that facilitated this type of abuse. The flaw, known as Punycode, relies on tricking Chrome into bringing users to sites that appear legitimate. The sites could then convince victims to enter personal login or financial credentials.

Authors

Threatpost
